Purge object without authenticating

Project: RUcore dlr/EDIT
Version: 7.6.3
Component: Code
Category: bug report
Priority: critical
Assigned: chadmills
Status: closed
Description

If you call the purgeplain.php script without authenticating, the object will be purged and then you will be redirected to login. The effect is that any object in the repository can be purged without authenticating into dlr/EDIT.

Comments

#1

I'm surprised at this. The script exits if someone is not authenticated. Are you sure you were not still authenticated through an older shib session in the browser?

#2

Yes I am sure. After the purge I am redirected to login.

#3

I looked into this some more. If it helps this is the request from my client in the apache logs.

172.18.162.207 - - [20/Oct/2015:11:58:21 -0400] "GET /dlr/EDIT/purgeplain.php?pid=rutgers-lib:202271 HTTP/1.1" 302 2231

Once I initiated the contact the browser hung for a few seconds and redirected me to the SSO login. If it were a previous session that was still authenticated I would not expect to get redirected to login.

#4

Assigned to: triggs » chadmills
Status: active » test

I think I found the problem. The sso.php check was returning a $check['level'] of "" for an unauthenticated user before redirecting. That was fine for outer pages, but purgeplain.php and some other inner pages were testing for a user level > 1. I set it to default to a user level of 100 rather than "" so that > 1 will always be true except for an authenticated level 1 user.
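The comparison described in comment #4, as an added PHP illustration (not RUcore code; the function names and the exact form of the gate are assumptions): an empty-string level compared loosely against 1 does not trip the `> 1` deny test, an explicit default of 100 does, and a strict check that requires an integer level fails closed for any caller the SSO layer did not authenticate.

```php
<?php
// Added illustration of the check described in comment #4. Not RUcore code;
// function names and the exact form of the level test are assumptions.
// Convention taken from the comment: level 1 is the most privileged.

// Models the pre-fix sso.php behaviour: unauthenticated callers get level "".
function sso_check_before(bool $authenticated, int $level = 1): array {
    return ['level' => $authenticated ? $level : ''];
}

// Models the fix: unauthenticated callers default to level 100.
function sso_check_after(bool $authenticated, int $level = 1): array {
    return ['level' => $authenticated ? $level : 100];
}

// The inner-page gate as described: deny when level > 1.
// With level "" this loose comparison is false, so the purge is not denied.
function purge_allowed(array $check): bool {
    return !($check['level'] > 1);
}

// Hardened variant: require an integer level and compare strictly,
// so a missing or empty level is denied regardless of type juggling.
function purge_allowed_strict(array $check): bool {
    return isset($check['level'])
        && is_int($check['level'])
        && $check['level'] === 1;
}

$cases = [
    'unauthenticated, before fix' => sso_check_before(false),
    'unauthenticated, after fix'  => sso_check_after(false),
    'authenticated level 1'       => sso_check_after(true, 1),
    'authenticated level 5'       => sso_check_after(true, 5),
];

foreach ($cases as $label => $check) {
    printf("%-28s level=%-5s loose=%-5s strict=%s\n",
        $label,
        var_export($check['level'], true),
        purge_allowed($check) ? 'allow' : 'deny',
        purge_allowed_strict($check) ? 'allow' : 'deny');
}
```

Only the first case differs between the loose and strict gates, which is exactly the unauthenticated purge the report describes.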

#5

Status: test » fixed

Tested on dev. Works as expected now.

#6

Version: 7.7 » 7.6.3

#7

Cleared test environment as well.

#8

Status: fixed » test

I've tested on reo-staging, but it could use verification. Thanks.

#9

Tested on staging. Works as expected.

#10

Status: test » fixed

#11

Fix was put in place on Production.

#12

Status: fixed » closed
